As recent events have shown, cyberattacks are extraordinarily expensive for the victims. After a breach and data theft, they are forced to spend millions cleaning up the damage, eradicating threats from their networks, fortifying defenses and managing the fallout.
But for the adversaries committing the breaches, it doesn't cost so much. And that's a big problem for the Defense Department, the government and enterprises writ large.
"Today a threat actor can spend a fairly modest amount of money, not just on [attacking] DoD but on any sophisticated enterprise, and cause that enterprise to have to spend quite a bit more money — by orders of magnitude — cleaning up and fixing the problem," DoD CIO Terry Halvorsen told reporters on a call on Sept. 15.
He echoed those comments Sept. 17 at the Billington Cybersecurity Summit.
"We are on the wrong side of the cyber economic curve," he said at the summit. "We need to raise barriers to attackers' entry, making it more expensive to play."
But how? The answer is multifold, but at least one aspect is automation: mechanizing some of the basic actions and responses involved in cybersecurity maintenance, Halvorsen said.
Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.
"Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play," Halvorsen said. "It reduces the benefit hackers will see and makes it more expensive for hackers to play."
Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It's a worry that Halvorsen said keeps him up at night.
"How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after," he said. "If I get to the cyber enterprise culture, I'll start doing integrated, layered defenses, I'll use automated tools — [joint regional security stacks are] the cornerstone for that — I'll get the right level of accountability and I will understand the money."